Tshark not decoding f1ap_f1ap_RRCContainer

  • retag add tags

We want to use the Tshark to convert the existing Pcap file into the ELK json file. Our PCAP file contains the dump of 5G F1AP/NGAP messages. In the output json file, all the messages are decoded fully except where the field is f1ap_f1ap_RRCContainer. This field value is still in hexstring format. Can someone help in how to decode this with tshark?

Dig Vijay's avatar
1
Dig Vijay
asked 2022-05-24 11:38:34 +0000
edit flag offensive 0 remove flag close merge delete

Comments

What version of tshark are you running (tshark -v)?

Past work on this:
rrc container not decoded in F1AP
F1AP: dissect more RRC containers
MR: F1AP: dissect more RRC-Container instances
commit: F1AP: dissect more RRC-Container instances

If the latest tshark doesn't decode properly, can you share a capture file on a public file share and update the question with a link to it.

Chuckc's avatar Chuckc (2022-05-24 14:02:04 +0000) edit
more
  • delete

we are using TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

Dig Vijay's avatar Dig Vijay (2022-05-24 14:35:43 +0000) edit
more
  • delete

we are using TShark (Wireshark) 3.2.3 (Git v3.2.3 packaged as 3.2.3-1)

That's a very old version. 3.6.5 is the current stable release.

grahamb's avatar grahamb (2022-05-24 15:27:55 +0000) edit
more
  • delete

Thanks grahamb , after updating the version to 3.6.5 it is working.

Dig Vijay's avatar Dig Vijay (2022-05-25 10:23:05 +0000) edit
more
  • delete

Hi Dig Vijay, Could you help me to provide the command you run decode message success because I have tried update the version tshark 3.6.5 but it's not decode successfully?

tudoinon's avatar tudoinon (2022-10-25 03:25:06 +0000) edit
more
  • delete
add a comment see more comments